Skype, Dropbox Patch Critical Facebook Authentication Bugs
Contributed by: Email on 04/04/2013 03:16 PM
[
Comments
]
UPDATE Popular applications Skype and Dropbox fixed holes in their websites this week that could have allowed an attacker to gain control of users Facebook accounts. In whats technically being referred to as an open direct vulnerability, both applications failed to validate sites before sending users and their access tokens to them.
According to TechCrunch, security researcher Nir Goldshlager discovered the vulnerability and responsibly disclosed it to both Dropbox and Skype who went on to publish a fix for the flaw. Goldshlager has taken to calling the vulnerability the Unfix bug, since Facebook isnt directly responsible for fixing it.
When it comes to execution, as long as an attacker knew someone who had their Facebook account connected to either Dropbox or Skype, theyd be vulnerable.
An attacker could use Facebooks Graph API explorer to glean their ID, string together a URL comprised of that ID, a URL from Dropbox or Skype and set it up to redirect to a malicious site to grant them access to their the Facebook access token. According to Goldshlager, a Facebook access token could give an attacker access to anything the user had already granted the app to do. That includes pulling personal information from the compromised Facebook account and oftentimes the ability to post to their wall.
The attacker merely needs to locate a site redirection issue on the developer or owners app domain, and thats it. They will be able to take the access_tokens of any user on Facebook who uses that particular app, Goldshlager wrote on his blog yesterday.
According to a statement given to Techcrunch by Facebooks security team, the vulnerabilities, while not Facebooks fault, stemmed from faulty Oauth authorizations in the applications domains.
While not a Facebook bug, we have and will continue to work with our OAuth partners to prevent this exploit, the company said.
The issue with Skype, according to a Microsoft spokesperson, stemmed from a problem with a partner site.
"We investigated the issue, determined it was a third party vulnerability, and worked with the necessary people to help protect customers," according to the spokesperson.
Goldshlager, who recently founded his own Israeli-based firm, Break Security, has clearly found a niche digging up authentication bugs. It was only a few weeks ago that Facebook, where Goldshlager constantly appears on the companys White Hat Thank You list, fixed a separate vulnerability he found in Facebooks OAuth authentication dialog. That flaw, like this weeks, gave him full access to users accounts by wrestling away their unique access tokens.
Goldshlager addresses both Facebook authentication bugs in depth on his blog, which he recently moved to Break Security.
According to TechCrunch, security researcher Nir Goldshlager discovered the vulnerability and responsibly disclosed it to both Dropbox and Skype who went on to publish a fix for the flaw. Goldshlager has taken to calling the vulnerability the Unfix bug, since Facebook isnt directly responsible for fixing it.
When it comes to execution, as long as an attacker knew someone who had their Facebook account connected to either Dropbox or Skype, theyd be vulnerable.
An attacker could use Facebooks Graph API explorer to glean their ID, string together a URL comprised of that ID, a URL from Dropbox or Skype and set it up to redirect to a malicious site to grant them access to their the Facebook access token. According to Goldshlager, a Facebook access token could give an attacker access to anything the user had already granted the app to do. That includes pulling personal information from the compromised Facebook account and oftentimes the ability to post to their wall.
The attacker merely needs to locate a site redirection issue on the developer or owners app domain, and thats it. They will be able to take the access_tokens of any user on Facebook who uses that particular app, Goldshlager wrote on his blog yesterday.
According to a statement given to Techcrunch by Facebooks security team, the vulnerabilities, while not Facebooks fault, stemmed from faulty Oauth authorizations in the applications domains.
While not a Facebook bug, we have and will continue to work with our OAuth partners to prevent this exploit, the company said.
The issue with Skype, according to a Microsoft spokesperson, stemmed from a problem with a partner site.
"We investigated the issue, determined it was a third party vulnerability, and worked with the necessary people to help protect customers," according to the spokesperson.
Goldshlager, who recently founded his own Israeli-based firm, Break Security, has clearly found a niche digging up authentication bugs. It was only a few weeks ago that Facebook, where Goldshlager constantly appears on the companys White Hat Thank You list, fixed a separate vulnerability he found in Facebooks OAuth authentication dialog. That flaw, like this weeks, gave him full access to users accounts by wrestling away their unique access tokens.
Goldshlager addresses both Facebook authentication bugs in depth on his blog, which he recently moved to Break Security.
Comments
